A few technical questions about NFTs – mutability and off-chain data

I think I have decent understanding of NFTs after reading https://eips.ethereum.org/EIPS/eip-721 but I have the following questions that doesn't seem to have been answered adequately anywhere.

​

1. Issues with mutability of URI in the metadata
   While there are use-cases where it is helpful to have it mutable, I wonder if common implementations employ mutability? If it is mutable, I'm guessing only the current owner can change it? What's stopping them from changing it and point to a completely different asset?

2. What is used for TokenId of NFTs with off-chain data?
   There are many types of NFTs (digital artwork for example) that typically have off-chain data. Assuming availability of off chain data (a tangential problem), am I correct in assuming that the TokenId is typically a hash of the artwork or the json meta-data? More specially, what piece of data on-chain prevents tampering the content hosted off-chain (artwork and the json contents)?

3. Could you please point to some good and bad implementations of NFTs?
   NFTs with off-chain data seems like a recipe for many bad implementations. I read some twitter threads about bad NFT implementations due to where the artwork is hosted and it's availability.

If I were creating an NFT contract with off-chain data, I would do this:

• TokenId: Will be a hash of the asset (the art piece the token aims to represent on-chain). Must be a hash that outputs no more than 256 bits.
• URI: Immutable and hosted on IPFS
• Artwork, preferably also hosted on IPFS

Since both metadata JSON and the artwork are on IPFS, the content cannot be edited without changing the URI itself. This still leaves the problem of these files disappearing from IPFS altogether. Maybe that's not a big problem because the current owner could maintain their own copy of these 2 files and anyone can verify the validity using TokenId and IPFS URI for JSON file?